Kaspersky Lab experts have recently discovered a security vulnerability in UEFI firmware, and this vulnerability was detected while studying the Firmware Scanner logs at the end of 2021.
During the further analysis, they found that the threat actors had modified one of the components in the firmware image that enabled the attackers to change the execution chain in UEFI and then inject the malicious code that runs at the startup of the machine.
On the victim’s network, the components of the modified firmware and other artifacts of malicious activity were analyzed, and it’s been detected that the malicious code which was implanted into the UEFI firmware was dubbed as “MoonBounce.”
Here we have mentioned all the other malware, stagers, and post-exploitation malware implants that were used by the Chinese-speaking attackers:-
Moreover, this MoonBounce implant targets the organizations that are in command of several corporations dealing with transport technology. In short, their target is the transport sector.
MoonBounce offers a distinctive feature that enables the MoonBounce to remain un-hidden in the ESP (EFI System Partition), and it’s the section where the UEFI code is located; but, in this situation with an active implant, it is immediately embedded in the SPI flash memory, that is located on the motherboard.
Here, the malware can be launched in both situations, which implies:-
While on the infected device until the SPI memory is flashed, which is a very complicated process until the motherboard is replaced, the bootkit will remain over there.
The MoonBounce is the third UEFI bootkit that was capable of infecting SPI memory, but, apart from this, the previous two cases are:-
The MoonBounce was used as a form to maintain access to the infected host and then in the second stage of the attack deploy the malware.
While it’s been confirmed by the experts that during their analysis they found MoonBounce was deployed once so far on the network of an unnamed transport company.
Since MoonBounce and other malware found on the victim’s network constantly contacted the server infrastructure, from where the APT41 group command all its instructions.
So, they have speculated that the operators behind the MoonBounce malware could be a Chinese cyber-espionage group that is dubbed as “APT41.” What is not clear till now is the installation procedure of MoonBounce.
But, still, cybersecurity researchers are analyzing the MoonBounce closely to get all the key details.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …
INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…
Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…
A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…
Recent research has linked a series of cyberattacks to The Mask group, as one notable…
RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…